Here at Conviso we are always talking with our customers about the Vulnerability Management process, and we emphasize that this structure is extremely important when we talk about software security.
However, we still find many managers and development professionals who understand vulnerability management as simply running a tool that will scan for vulnerabilities.
Vulnerability Management Framework
So, I want to start with an excerpt from an article published by Gartner where it demonstrates the construction of a vulnerability management framework.
“One of the most common ways to fail at VM is by simply sending a report with thousands of vulnerabilities to the operations team to fix. Successful VM programs leverage advanced prioritization techniques and automated workflow tools to streamline the handover to the team responsible for remediation.”
We believe that the vulnerability management process is something that has no recipe, you can’t buy it ready, you cannot go to a store or consultancy and buy a box with the process inside.
Build, adjust and test
So this process must be built, adjusted, tested and then continuously improved within a cycle that is repeated over and over again.
Gartner defines a Vulnerability Management process as follows:
“… as the process cycle for finding, assessing, remediating and mitigating security weaknesses on information systems. As parts of this process, policy and scope definition, assessment, remediation, mitigation and monitoring are required.”
A conceptualization of vulnerabilities
Right after we understand the concept given to the vulnerability management process, we need to understand the various concepts that we can identify about vulnerabilities.
Many writers and professionals see vulnerability as something “susceptible to attack” or even something that is “available”.
Here we will make it clear that the concept of vulnerability will be a flaw that can provide the exploitation of the application, generating an impact.
A threat that takes advantage of vulnerabilities can induce a chain of events resulting in adverse consequences for the organization.
What are the role and importance of Vulnerability Management?
It is evident that working with software security in a preventive way is one of the cheapest and most efficient ways to guarantee the security of the final product.
This is very clear when we compare results obtained with the implementation of a correct secure development process and the amount spent on the vulnerability correction process or even legal problems caused by vulnerabilities exploited in the software.
However, we still find companies where the thought remains to act only at the end of the process, and, furthermore, through very specific tests.
The Vulnerability Management process as we understand is much more complete and complex than simply using a tool to show vulnerabilities present in code.
And a vulnerability management process is much bigger, it needs more attention and involvement, but its results are much higher than what is invested in the creation, use, and maintenance of the process.
We can turn to Gartner again to get a good idea of a Vulnerability Management process.
But, what is interesting about a process is that it is not fixed, rigid or even immutable, and with this we can imagine that the construction of your Vulnerability Management Process can be done having the characteristics of your team, this is fantastic!
I hope that, by now, you have understood that if your supplier, or even your team, give you a report containing a lot of vulnerabilities and asks your team to resolve it, this is not a vulnerability management process!
I say this because it is not uncommon to find companies that receive this type of report. Still many receive the raw report, as well as leaving the miracle code validation tool, without any analysis.
This is definitely not Vulnerability Management!
When a company decides to act correctly in vulnerability management, it gains control over its development process, increases control over the security of its software and the maturity of its team.
What are the attacker’s thoughts?
When looking at a vulnerability alone and treat it based only on its criticality, we tend to miss some very important points.
One of the main points that we leave out is undoubtedly the attacker’s thinking. In general, the attacker does not think about the criticality of the vulnerability, but about the effective use in search of a result.
An example of this is seen when we are talking about the vulnerabilities listed in the OWASP TOP 10.
As we know they are not the most dangerous vulnerabilities, however, they are used over and over again as a gateway to far more sophisticated attacks.
The prioritization of corrections is a fundamental factor for the success of an effective process. Vulnerability management is, again, a process that must be viewed from many angles, never in a single aspect.
For the prioritization to be done correctly, a series of steps and understandings must be observed such as the impact on the business from the exploitation of a vulnerability. ,
Furthermore, it is necessary to have a global view of the assets and the vulnerabilities, as this way we will be able to apply a correction priority criteria more effectively.
In its article entitled “Implement a Risk-Based Approach to Vulnerability Management” Gartner brings us some interesting data that should be observed when dealing with vulnerability fixes, perhaps one of the most critical is time.
We know that fixing a vulnerability is not and is unlikely to be a simple and quick process, especially in complex structures that need to change assessments.
When we have a mature process implemented and being used, we have the guarantee that we will be able to make the necessary corrections in a more organized and structured way.
How would a Vulnerability Management Process be like?
As we said, a vulnerability management process is much bigger and more complex than just running a tool.
We need within the process to define some steps, steps, resources, and tools that will be used.
As we can see, there is a logic, a sequence in the execution and performance of actions within a process.
Therefore, we say that the construction of a process is something that manages to be flexible and that it can and must follow the structure of the company, reflecting its needs and objectives.
We can understand that, in a basic way, all vulnerability management process must present at least these steps.
Remediação de Vulnerabilidades: Quando possível, proceder com a atualização da estrutura para evitar possíveis problemas posteriores.
Identification of vulnerabilities: The process must start with the evaluation of the results of the tools and tests used for data collection.
Vulnerability verification: after being identified, the vulnerability must go through an analysis process, identification of possible exploitation scenarios, their impacts, and their criticality. Only then can we create a list to work on corrections.
It is important to remember that tools produce numerous false positives and worse false negatives, and this must be taken into account when analyzing the results.
Prioritize: Assess which vulnerabilities will be mitigated or corrected first based on your ability to address the vulnerabilities.
Vulnerability Mitigation: At this point we will decide on the corrections, implementations of compensatory controls and the search for a solution to the root problem of the vulnerability. Always evaluating if there are more appropriate forms of correction/mitigation and what are the forms of exploitation.
Remediation of Vulnerabilities: When possible, proceed with updating the structure to avoid possible subsequent problems.
Have full control and visibility on all the vulnerability process
The vulnerability management process is complex and requires a high degree of control.
We need to have support for various controls and how the vulnerabilities will be fixed, maintained and tested. This process becomes even easier when we correctly use a platform developed appropriately for the vulnerability management process.
The search for a well-developed and robust process should be the objective of every manager who aims to improve the security of his application, and it will not be only with the tool reports that he will achieve it.
We as AppSec professionals must not confuse a vulnerability management process with the sporadic execution of scanning tools.
The use of these tools must be part of the process, and therefore, they are only a small piece of the whole.
I hope this article has been able to further clarify the concepts behind a vulnerability management process.